Hack a Lock, Get a Free Car?

No, we’re not talking about any lock, or car for that matter. The creators of Loxet are so confident in their product, a smart lock for your car, they’ve issued a challenge to the world. If you can defeat it, you can keep the car — sadly the car isn’t anything special though.

The device, after installed on your vehicle, gives you a taste of the premium lifestyle of fancy push-to-start vehicles. It automatically unlocks your vehicle when you come near with your cellphone, and only your cellphone. It also has the option to give access to friends and family using an invite system. It controls ignition access, and works as a proximity lock.

The car is located at ul. Straszewskiego 14 in Krakow. If you’re not from Poland, [Matt] recommends you team up with a local to try your hack. The alternate prize (if you’re not from Poland or don’t want the car) is $2000.

The car is just sitting there. We’d love to see some 1st person attempts from any of our Polish readers living in Krakow! It is currently set to unlock and lock every 10 minutes. You might be able to get into the vehicle — but will you be able to take it? Let us know!

[Thanks for the tip Maxim!]

63 thoughts on “Hack a Lock, Get a Free Car?

    1. preposterous!!

      if I can get into the car i can get under the hood. if i can get under the hood i can bypass any and all components of the ignition system, including but not limited to the coil, distributor, and of course their push-to-start system.

      i wonder if that’s a disqualification, but it shouldn’t be – this is one of the moves the more sophisticated thieves will do (bring a small battery and separate complete ignition system).

      also, would bringing a snatcher truck count as ‘bypassing’ the system? i mean it gives me all day to take it into my garage, replace the ignition system, and then keep the…. jaloppy.

      1. What about the fact that , even when you do not want to use your car , you come within the proximity and it opens your car. To open my car i use my remote , and it only opens when i am using my car. I have installed the BTCAR of a Brazilian firm that shut of the motor, immobilizes it when i am away and when i´m comming back it will work normally. Completelly automatic without taking my phone in my hands. Unlike the Loxet , thisone is protected with a proccesor that checks 3 cridencials before liberating my car.If one is´nt there my car will not function. It stores the info of my phone automatically the first time it connects than it´s proximity time. The casing is not so beautifull but it Works like a charme and that´s what matters. We where trying to hack it but without any fisical changes it´s impossible, And like you state it doesn´t open door so than can not come under the hood easely. Fro me it´s the best solucion if the thiefs steal my Keys from my home and want to steal my car. the won´t come very far.

  1. You forgot to add that to win one must open it without touching the car. Otherwise any Pole could steal it. The car is nothing special, because Loxet is a small start-up company and they can’t afford anything better. Still free car is a free car.

  2. Am I wrong in thinking that decompiling the apk, changing some code, and recompiling the app should do it?
    Can bluetooth MAC addresses be spoofed? Looks like LoxedUtils.java source file may hold the key. Where do we test this in the US?

          1. Ooooohhh, I love these. Irrelevant comments I need to triage and moderate before someone goes off on a tangential rant that eventually breaks comment threading. Don’t make me delete a bunch of stuff, people. Replying to Mango will break threading.

    1. Briefly looking at it, I’m more interested in the code in DeviceUUIDFactory.class.

      Specifically:

      String str2 = Settings.Secure.getString(paramContext.getContentResolver(), “android_id”);
      try
      {
      if (!”9774d56d682e549c”.equals(str2))
      {
      uuid = UUID.nameUUIDFromBytes(str2.getBytes(“utf8”));
      localSharedPreferences.edit().putString(“device_id”, uuid.toString()).commit();
      continue;
      }

      Having a hard coded UUID in there makes me curious as a start. The entire thing has way too many hard coded values for my liking – the entire AES block is a good example. The lock command is public, I haven’t traced back far enough to figure out where it is called I’ve just been poking around, but you would have to figure that the user logging in triggers the API on the server side first. Would make me interested to see what happens if you walked up as the owner was walking away, but that’s for a morning not a night.

    2. Yeah, bluetooth addresses can be changed pretty easily depending on the chipset.

      For most broadcom chips you can set the mac address by hci:
      hcitool cmd 0x3f 0x1 0x11 0x22 0x33 0x44 0x55 0x60
      will set the mac to 60:55:44:33:22:11 (until you power down the chip)

      On CSR chips you can set it forever:
      bccmd -d hci0 psset -s 0x0002 0x0001 0x33 0x00 0x11 0x22 0x44 0x00 0x55 0x60
      will again give: 60:55:44:33:22:11

  3. I don’t get it. The app is cycling the lock constantly, they gave the address, the car is yours to take if you can gain entrance… but you must do it without physical interaction? So they expect you to disable the protection then don’t enter the car. Because that would be physical interaction. This is what I call a conflict. I think anyone else here could easily figure out that you open the door when the app cycles the door locks to open. Game over. Yet that’s not how they want you to steal it. What thief would realistically have time for that? If this is a real world test, they left the biggest real life exploit right at the front door.

    1. One must break the protocol and API in order to gain access. The car is locked and unlocked by smartphone automatically for people who might try getting the encryption keys (generated when smartphone is paired with the loxet device). That’s also why they gave their app to anyone who wants to try. It’s a simulation of real theft by breaking the software.The rules prevent from just opening the door and jump-starting the car. Also the parking lot is monitored.

        1. Actually a lot of modern thieves steal cars by exploiting software such as cloning or man in the middle attacks on the keyless fob system.
          I remember reading a story about a car thief who specialized in stealing high end luxury cars with key less start because he didn’t have to physically break anything to steal the car.
          No broken windows and busted key lock to tip off the police before the vehicle gets reported stolen.

      1. This isn’t a good test of the antitheft of the car. If the car is unlocked at any point and the keys inside, well there ya go. It’s yours to take if you can open it fast enough before it locks on you again. The speed of it means even an elderly woman could steal the car. Also, from the sound of it, it’s a Bluetooth operated device so simply driving away from the damn transmitter pretty much breaks the security entirely. So regardless of breaking the protocol, while that was the point, it is now moot to show the strength of your security when the test environment can be exploited with common sense.

        Also, simply utilizing a signal jammer in the 2.4ghz realm will render your smartphone incapable of locking the door after exiting the vehicle. There are more ways to skin a cat still.

      2. Instead of attacking the device and reverse engineering it’s protocol why not try and exploit the smart phone it’s running on as that’s probably the weakest link.

      3. It’s not a real test it is a PR trick / free advertising. As such it can be disregarded as having any value. IRL you could use all the possible methods and the system inevitably has some flaws.

        They don’t want ppl to succede.

        1. They’re selling an electronic lock thingummy. Not the solution to all car theft ever. The test is for the lock. Yes there are other ways to steal cars, but that’s not the product they’re selling. If the lock itself is secure, then you have the convenience of remote opening, and just as much vulnerability to other theft methods as every other car.

    1. I think it’s fairly obvious the rules are that you have to break the system of software and hardware Loxet have created, by getting the car to open / start remotely by sending it radio signals. Obviously smashing the window, or opening the bonnet and messing with the hardware, don’t count. The element being tested is the remote-access. Once you have defeated that, of course you can physically touch the car to drive it away. Although I’d expect Loxet would appreciate a phone call.

      If you just want to jack the door open, or social engineer somebody, there’s plenty of other cars you can steal. This isn’t a steal-a-car-by-pedantry contest.

    1. It’s worth at least $2000 in publicity. And if their system’s any good, they won’t have to give the car away anyway. If the car IS stolen, then it’ll cost them a lot more in ruined business, since nobody wants a lock you can break with an Instructable. They’re putting their business on the line, to show complete faith in their product. Companies used to do that in the old days, when men had nuts.

      1. This isn’t much of a risk. It’s a junker. If they had the nuts they would get an investor behind them and put a modern car out there, without the keys in the car of course.

    2. Clearly you are DainBramaged, because this is a great publicity stunt for the company. Sure the test may not be perfect and there may be other ways to do it, but they are going to get loads of attention and potentially a successful security demonstration out of it.

      1. Only the naive would believe this product would make their car more secure. Convenient, yes, but not anymore secure than a regular lock. They’re only demonstrating that their product is secure from the protocol aspect. Whoopdy freakin’ doo. Placing these artificial limitations on whoever attempts this shows nothing about the product’s ability to secure your car. What difference would it make to a thief if you had these locks on it or not? It’s just like installing heavy steel doors in a house and telling people they can have the house, but they can’t use tools.

  4. OK I can’t believe how many ignorant people feel inclined to leave comment. Most of them didn’t even read whole article. Free car…. omg. It must be porche and it must be so easy as breaking window or towing it away… And they should pay me airfare to go there and try my intelligent idea. But most of them wouldn’t even know how to hotwire 1968 ford truck. Phewy..

  5. Without looking in to the code and hardware. I would assume that they are using that phone in parking lot for some strong reason. They must be generating floating key every time operation is done. On initial Bluetooth authentication floating key is generated and used for next interaction with onboard electronic, after interaction new key is generated exchanged and used for next interaction. This way if Bluetooth layer is hacked / spoofed there is one more security layer left. This would be quite limiting factor that give you only 10 minutes to spoof Bluetooth and than hack sec key. Than that phone is opening and closing lock again thus generating completely new set of keys, and you are back to square one. If you are about to jam RF signal after doors are open you are left with engine lock that also require interaction with phone/key. Now this jamming might give you some extra time to hack floating key and this is only if they didn’t built internal safety counter / timer. But there is also great possibility that in absence of paired phone / heartbeat doors are automatically locked. ( Real world scenario you park leave and lock is engaged )
    As somebody sad they are putting their company reputation online and 2000 or car value is nothing in comparison. I would prefer to see that person responsible for such successful hack is hired by them.

    1. Re: the heartbeat…. You’re driving down the outside lane of the motorway at 80MPH. Your phone’s battery runs out. The heartbeat stops… ummm…

      * Car engine cuts out
      * Breaks stop working well since there’s no servo
      * Steering locks (assuming it activates the column lock)
      * Doors lock…

      Are you dead yet?

    1. Nice principles and values you have. Are you feeling inferior, angry when challenged. So scared that you are ready to torch the problem that you can’t solve. I’m wondering are you going to do same thing with disobedient child ? Take my advice, visit some professional and have a talk.

  6. This whole challenge is absurd. If I’m (hypothetically, of course) a criminal, do I build the $50,000 supercomputer to break the crypto key or do I hit you with a $2 wrench and take your keys/phone/whatever? Criminals, like good engineers, go for the shortest route to success.

    1. And then go to jail for years and years for assault. Sounds like you would not be a good criminal, which isn’t a bad thing per se I guess.

      Also in the movies you can hit someone with a wrench or something and they perfectly pass out without further issues, but in reality you either kill the person or the person isn’t knocked out I’m sure, and then you got issues. Or the person becomes crippled or some such, and the person might be able to identify you too, so then what? in any case you look at decades of prison in many of such scenarios, for a cheap car..

      1. I hope you learn to appreciate how moronic that comment is. Do you really think someone that would be willing to steal your car would really think twice about beating the keys out of you in the first place?? Of course not.

        1. No, you’re a moron.

          There’s a big difference between stealing a car, insured property, and smashing someone’s bones and possibly killing them. Both in terms of the associated prison sentence, and simple morality. It’s also riskier. Stealing a car is a sneaky and dishonest thing to do, beating someone half to death is psychopathic and vicious. Many fewer people would be prepared to smash a stranger’s head in, than would steal his car.

  7. I love challenges like this. It makes me trust their product even more if they can offer something with completely real world testing and asking people to try to break it. I usually just call a locksmith. It’s so much easier. Anyone else too lazy to break into their own car and just want a locksmith?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s